As the 4G network technologies are becoming mature and widely applied, the Voice over IP (VoIP) communication service enabled by the IP Multimedia Sub System (IMS) technology has been more widely applied due to the inherent advantages of access-independency, separation of services from the control layer, etc., of the technology system of the IMS.
In the standard IMS system architecture, a Call Session Control Function (CSCF) in the system operates as a subscriber register server to provide a User Equipment (UE) with a registration service, and to provide the UE with routing and trigger control in call and short message services, and an Application Server (AS) handles services for the subscriber. The CSCF can be categorized into three different logic entities by their different functions:
A Proxy-CSCF (P-CSCF) is an entrance for an access of the UE to the IMS; the P-CSCF is a Session Initiation Protocol (SIP) proxy server and is capable of forwarding bidirectional signaling flows.
An Interrogating CSCF (I-CSCF) provides the UE with an entrance to a home network of the UE, and hides the topology of the home network from other networks.
A Serving CSCF (S-CSCF) is the core of the IMS domain, and the S-CSCF performs session control on the UE, and maintains a session state required for the service.
These three logic entities, i.e., the P-CSCF, the I-CSCF, and the S-CSCF, can be separated or combined depending upon the application scenario. If there are a small number of UEs served by the network, then the three logic entities can be combined into one logic entity. For the sake of a convenient description, these three logic entities are referred to collectively as the CSCF, and the functions of the CSCF include all the functions of these three logic entities.
In the IMS system architecture, a general service flow of a session service includes an IMS registration flow and an IMS call flow, and as illustrated in FIG. 1, the standard IMS registration flow is as follows:
S101. The UE sends a subscriber registration request message, including the UE identifier of the UE, to the CSCF;
S102. The CSCF sends a challenge response message carrying a random number RAND and an authentication vector AUTN (including a MAC and an SQN) to the UE to instruct the UE to authenticate on the IMS network;
S103. The UE authenticates the IMS network upon reception of the challenge response message sent by the CSCF. In a particular authentication method, the UE calculates an Expected Message Authentication Code (XMAC) value as specified in 3GPP TS 33.102; if the XMAC value is the same as the MAC value carried in the challenge response message, and the Sequence Number (SQN) lies in a preset range of values, then the UE determines that the authentication of the IMS network is passed; and after the authentication is passed, the UE calculates a response value RES from the random number RAND, and a key IK of the UE;
S104. The UE resends a subscriber registration request carrying the response value RES to the CSCF;
S105. The CSCF receives the subscriber registration request resent by the UE, and if the response value RES carried in the subscriber registration request is the same as a locally stored Expected Response Value (XRES), then the CSCF determines that the authentication on the UE is passed; and the CSCF retrieves subscriber data of the UE from a Home Subscriber Server (HSS);
S106. The CSCF triggers a service according to the subscriber data, and initiates third-party registration with the AS;
S107. The CSCF sends a subscriber registration success response message to the UE after the UE is registered successfully;
S108. The AS performs third-party subscriber registration on the UE upon reception of the third-party subscriber registration request sent by the CSCF; and
S109. The AS sends a third-party subscriber registration success response message to the CSCF after finishing the third-party subscriber registration on the UE.
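The challenge/response of steps S102 to S105 modelled in Python, as an added example that is not part of the original description: HMAC-SHA256 stands in for the 3GPP f1 to f5 functions of TS 33.102 (an assumption; real networks use MILENAGE or TUAK), and the key K, the AMF and the SQN acceptance window are constructed values. The model shows both the MAC check and the SQN range check of S103, and the RES/XRES comparison of S105.

```python
import hmac, hashlib, os

# Constructed toy model of IMS AKA (steps S102-S105).
# Assumption: HMAC-SHA256 replaces the 3GPP f1..f5 functions of TS 33.102;
# real deployments use MILENAGE/TUAK, not this construction.
K = bytes.fromhex("000102030405060708090a0b0c0d0e0f")   # constructed shared key K
AMF = b"\x80\x00"                                        # constructed AMF field
SQN_DELTA = 32                                           # constructed SQN acceptance window

def f(tag: bytes, key: bytes, *parts: bytes, n: int) -> bytes:
    return hmac.new(key, tag + b"".join(parts), hashlib.sha256).digest()[:n]

def network_challenge(k: bytes, sqn: int, rand: bytes):
    """Network side (S102): build AUTN = (SQN xor AK) || AMF || MAC, plus XRES and IK."""
    sqn_b = sqn.to_bytes(6, "big")
    mac = f(b"f1", k, rand, sqn_b, AMF, n=8)
    ak = f(b"f5", k, rand, n=6)
    autn = bytes(a ^ b for a, b in zip(sqn_b, ak)) + AMF + mac
    xres = f(b"f2", k, rand, n=8)
    ik = f(b"f4", k, rand, n=16)
    return autn, xres, ik

def ue_authenticate(k: bytes, rand: bytes, autn: bytes, last_sqn: int):
    """UE side (S103): check XMAC == MAC and SQN in range, then derive RES and IK."""
    ak = f(b"f5", k, rand, n=6)
    sqn_b = bytes(a ^ b for a, b in zip(autn[:6], ak))
    amf, mac = autn[6:8], autn[8:]
    xmac = f(b"f1", k, rand, sqn_b, amf, n=8)
    if not hmac.compare_digest(xmac, mac):
        return None   # MAC failure: the network is not authenticated
    sqn = int.from_bytes(sqn_b, "big")
    if not (last_sqn < sqn <= last_sqn + SQN_DELTA):
        return None   # SQN out of range: stale or replayed challenge
    res = f(b"f2", k, rand, n=8)
    ik = f(b"f4", k, rand, n=16)
    return res, ik, sqn

def run_registration(ue_key, net_key, sqn=5, last_sqn=4, rand=None):
    """Full round trip; returns True only if S103 and S105 both pass."""
    rand = rand or os.urandom(16)
    autn, xres, ik_net = network_challenge(net_key, sqn, rand)
    ue_out = ue_authenticate(ue_key, rand, autn, last_sqn)
    if ue_out is None:
        return False
    res, ik_ue, _ = ue_out
    return hmac.compare_digest(res, xres) and ik_ue == ik_net   # S105 RES vs XRES

if __name__ == "__main__":
    print(run_registration(K, K))
```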
After the IMS registration flow is finished, the UE can initiate a call, a short message or another IMS service over the IMS network.
As illustrated in FIG. 2, the standard IMS call flow is as follows:
S201. The UE which is a calling UE sends a call request message carrying the UE identifier of the calling UE and the UE identifier of a called UE to the CSCF;
S202. Upon reception of the call request message, the CSCF triggers a service according to subscriber data of the calling UE and the called UE, and forwards the call request message to the AS; and the CSCF sends the call request message to the called UE according to the address information registered by the called UE;
S203. The called UE sends a call response message to the calling UE through the CSCF and the AS upon reception of the call request message;
S204. The called UE sends a hook-off request message to the calling UE through the CSCF and the AS after being hooked off;
S205. The calling UE sends a hook-off response message to the called UE through the CSCF and the AS upon reception of the hook-off request message;
At this point a session is set up between the calling UE and the called UE so that a normal communication process can be performed between the calling UE and the called UE;
S206. After the communication between the calling UE and the called UE is terminated, the calling UE is hooked on and sends a hook-on request message to the called UE through the CSCF and the AS; and
S207. The called UE is hooked on, and sends a hook-on response message to the calling UE through the CSCF and the AS, upon reception of the hook-on request message.
In the IMS registration flow and the IMS call flow above, only the provision of the session service is addressed, so the session messages exchanged during the session between the calling UE and the called UE cannot be secured effectively. As illustrated in FIG. 3, the session messages exchanged during the session between the calling UE and the called UE are unencrypted plain-text session messages, so all the contents of communication between the calling UE and the called UE are exposed and the session messages may be easily wiretapped by an illegal wiretapper, thus greatly endangering the session.